Bug #61046 [Opn]: Segfault when memory limit is hit while copying hash table

2012-02-10 Thread rasmus
Edit report at https://bugs.php.net/bug.php?id=61046&edit=1

 ID:                 61046
 Updated by:         ras...@php.net
 Reported by:        ni...@php.net
 Summary:            Segfault when memory limit is hit while copying hash table
 Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 PHP Version:        5.4.0RC7
 Block user comment: N
 Private report:     N

 New Comment:

Same here. Reproducible on 64-bit Linux with memory_limit set to "512k".

The segfault is here:

zend_mm_remove_from_free_list (heap=0xf71730, mm_block=0x77fae1c8) at /home/rasmus/php-src/branches/PHP_5_4/Zend/zend_alloc.c:805
805 ZEND_MM_CHECK_TREE(mm_block);

(gdb) p *mm_block
$2 = {info = {_size = 16400, _prev = 57}, prev_free_block = 0x77fae1c8, next_free_block = 0x77fae1c8, parent = 0x0, child = {0x0, 0x0}}

Note that parent is NULL there and ZEND_MM_CHECK_TREE tries to dereference *parent.


Previous Comments:

[2012-02-10 17:46:09] jpa...@php.net

Notice that I only reproduce with memory_limit set to exactly 512k, not 500k as in the bug text, nor even 511k.


[2012-02-10 17:34:21] jpa...@php.net

What I can say:

- I don't reproduce on 5.3.10
- For 5.4, disabling ZendMM with USE_ZEND_ALLOC=0 makes the segfault disappear
- For 5.4, changing the ZendMM segment size with ZEND_MM_SEG_SIZE={val} makes the segfault disappear; I haven't tested all the possible values for SEG_SIZE.

As a reminder, the ZendMM default SEG_SIZE is set to 256k.


[2012-02-10 17:31:28] ni...@php.net

GDB Stacktrace:

#0  zend_mm_remove_from_free_list (heap=0x88da8d8, mm_block=0xb7fc5308)
at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:805
#1  0x083ad608 in _zend_mm_free_int (heap=0x88da8d8, p=0xb7fc52f0)
at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:2101
#2  0x083cd657 in destroy_op_array (op_array=0x8a5d4c8, tsrm_ls=0x88d9050)
at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:380
#3  0x083cd777 in zend_function_dtor (function=0x8a5d4c8)
at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:124
#4  0x083e49ae in zend_hash_apply_deleter (ht=0x88dae70, p=0x8a5d498)
at /home/nikic/dev/php-src-git/Zend/zend_hash.c:650
#5  0x083e63b1 in zend_hash_reverse_apply (ht=0x88dae70, apply_func=0x83c7310 , tsrm_ls=0x88d9050)
at /home/nikic/dev/php-src-git/Zend/zend_hash.c:804
#6  0x083c7ecb in shutdown_executor (tsrm_ls=0x88d9050)
at /home/nikic/dev/php-src-git/Zend/zend_execute_API.c:304
#7  0x083d7c11 in zend_deactivate (tsrm_ls=0x88d9050)
at /home/nikic/dev/php-src-git/Zend/zend.c:934
#8  0x0836be33 in php_request_shutdown (dummy=0x0)
at /home/nikic/dev/php-src-git/main/main.c:1782
#9  0x0848d723 in do_cli (argc=4, argv=0xb3b4, tsrm_ls=0x88d9050)
at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1169
#10 0x0806eaa3 in main (argc=4, argv=0xb3b4)
at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1356


[2012-02-10 17:28:02] ni...@php.net

Description:

The attached test script triggers a segfault. It happens during the shutdown 
after the memory limit is reached in the byRef($array) line.

Test script:
---
https://bugs.php.net/bug.php?id=61046&edit=1

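As an added illustration (not code from the report or from PHP), the block rasmus dumped above is modelled in C: the unguarded check dereferences the NULL parent exactly as described, while a guarded variant classifies the block instead of crashing. The struct layout and the body of the check are assumptions paraphrased from the report, not Zend's actual definitions.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the free-list block printed by gdb above; not Zend
 * code. Field names follow the dump; the check paraphrases what the report
 * says ZEND_MM_CHECK_TREE does (compare *parent with the block itself). */
typedef struct mm_block {
    size_t size;
    struct mm_block *prev_free_block;
    struct mm_block *next_free_block;
    struct mm_block **parent;   /* tree slot that should point back at this block */
    struct mm_block *child[2];
} mm_block;

typedef enum { TREE_OK, TREE_NOT_LINKED, TREE_CORRUPT } tree_state;

/* Unguarded form, as the report describes it: with parent == NULL the load
 * of *parent is the segfault. Kept for contrast; never call it on such a block. */
bool tree_check_unguarded(const mm_block *b) {
    return *b->parent == b;
}

/* Guarded form: classify the block instead of dereferencing NULL, so a
 * corrupted or unlinked block becomes a reportable state, not a crash. */
static tree_state tree_check(const mm_block *b) {
    if (b->parent == NULL)
        return TREE_NOT_LINKED;      /* not in the size tree at all */
    if (*b->parent != b)
        return TREE_CORRUPT;         /* slot no longer points back at us */
    return TREE_OK;
}

/* The block from the gdb dump: size 16400, self-linked prev/next, parent NULL. */
static tree_state check_dumped_block(void) {
    static mm_block dumped_block;
    dumped_block.size = 16400;
    dumped_block.prev_free_block = dumped_block.next_free_block = &dumped_block;
    dumped_block.parent = NULL;
    dumped_block.child[0] = dumped_block.child[1] = NULL;
    return tree_check(&dumped_block);
}

/* A correctly linked tree node for comparison. */
static mm_block linked_block, *root_slot = &linked_block;

static tree_state check_linked_block(void) {
    linked_block.parent = &root_slot;
    return tree_check(&linked_block);
}
```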